[Bug 1039593] [NEW] squid3 lost compiler hardening options in last update, but shouldn't have

Jamie Strandboge jamie at ubuntu.com
Tue Aug 21 15:27:21 UTC 2012


Public bug reported:

This bug is against squid3 for now, but this may be a bug in the build
hardening options.

3.1.19-1ubuntu3 reinstated compiler hardening options such that PIE and BIND_NOW are in effect. This can be seen with 'hardening-check':
$ mkdir /tmp/squid3-old
$ cd /tmp/squid3-old
$ dpkg-deb -x /tmp/squid3_3.1.19-1ubuntu3_amd64.deb files
$ hardening-check ./files/usr/sbin/squid3
./files/usr/sbin/squid3:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

However, 3.1.19-1ubuntu3.12.04.1 lost PIE and BIND_NOW, even though the only change was to the upstart job (see attached debdiff):
$ mkdir /tmp/squid3-new
$ cd /tmp/squid3-new
$ dpkg-deb -x /var/cache/apt/archives/squid3_3.1.19-1ubuntu2_amd64.deb files
$ hardening-check ./files/usr/sbin/squid3
./files/usr/sbin/squid3:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

Using readelf, we see that the ELF is not marked as DYN (dynamic):
$ readelf -lW /tmp/squid3-new/files/usr/sbin/squid3 |grep 'Elf file type'
Elf file type is EXEC (Executable file)

But the old one is:
$ readelf -lW /tmp/squid3-old/files/usr/sbin/squid3 |grep 'Elf file type'
Elf file type is DYN (Shared object file)

Comparing the build logs did not reveal anything significant that I
could see.
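As an added example (not part of the bug report and not hardening-check's own code), the two checks that regressed here can be reproduced by reading the ELF structures directly: e_type tells EXEC from DYN (PIE), and immediate binding shows up in the dynamic table as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1. The sample ELF images are constructed inline so the script runs without a real binary; pass it a file's bytes to check a package as above.

```python
import struct

# ELF constants (values from elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Return the ELF type (EXEC vs DYN, i.e. PIE) and whether BIND_NOW is set."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        off_fmt, dyn_fmt, dyn_size = end + "Q", end + "qQ", 16
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        off_fmt, dyn_fmt, dyn_size = end + "I", end + "iI", 8
    bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, ph)
        if p_type != PT_DYNAMIC:
            continue
        # p_offset / p_filesz sit at different offsets in Elf32 and Elf64 phdrs
        (p_offset,) = struct.unpack_from(off_fmt, data, ph + (8 if is64 else 4))
        (p_filesz,) = struct.unpack_from(off_fmt, data, ph + (32 if is64 else 16))
        for pos in range(p_offset, min(p_offset + p_filesz, len(data)), dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            # Any of these three encodings makes ld.so resolve all symbols at load time
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    return {"type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
            "pie": e_type == ET_DYN, "bind_now": bind_now}

def build_sample(e_type: int, dt_flags: int) -> bytes:
    """Constructed minimal x86-64 LE ELF: header, one PT_DYNAMIC phdr, a dynamic table."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    dyn = struct.pack("<qQ", DT_FLAGS, dt_flags) + struct.pack("<qQ", DT_NULL, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```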

** Affects: squid3 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1039593
